Report Double Fetch Bug Found in Linux-4.6.1/kernel/auditsc.c

[Pengfei Wang]

Hello,


I found this Double-Fetch issue in Linux-4.6.1/kernel/auditsc.c when I
was examining the source code, which I think is a bug.


In function audit_log_single_execve_arg(), the whole argument is
fetched from user space twice via copy_from_user(). In the first loop,
it is firstly fetched (line 1038) to verify, aka looking for non-ascii
chars. While in the second loop, the whole argument is fetched again
(line 1105) from user space and used at line 1121 and line 1123
respectively depends on the previous verification.


However, a double fetch problem happens when the user space fetched
data is changed by a concurrently running user thread under race
condition during the verification and the usage, and the data
inconsistency will cause serious problems. In this case, the verified
non-ascii argument from the first loop is likely to be changed to an
ascii one (i.e. containing ‘ “ ’)  which will be used in the second
loop. Then the argument is passed to audit_log_string() as none-ascii,
then move forward in audit_log_n_string() of file audit.c, the string
is enclosed with quote marks as well. Since the string contains
another quote mark in the middle, problems will happen when processing
the string based on quote mark, e.g. the string will be recognized as
a shorter one based on the middle quote mark. I believe other
consequences are also likely to be caused once the none control string
is treated as a control string, or vice versa, which is very likely to
happen under double fetch situations.


I am looking forward to a reply to confirm this, thank you!



Kind regards

Pengfei
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit.zip
Type: application/zip
Size: 34545 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160620/8042f412/attachment.zip>